Citrix Secure Private Access

Client internal IP address pools - Preview

The client internal IP address pools contain IP address ranges that can be allocated to each of the logged-in clients. The client internal IP address is required to assign a unique IP address to a user and their device. The client IP address is internal for Secure Private Access and is only available to the customer resource location. The devices from the customer resource location can tunnel traffic to a specific logged-in user’s device using the client’s internal IP address, initiating a server-to-client connection. The client internal IP address can also support source IP stickiness for existing client-to-server tunnel traffic to maintain consistent connections.

Use cases of client internal IP address pools

  • Enable server-to-client connections: A server must initiate a connection with the client devices for tasks such as push configurations, remote assistance, and software installation. The client internal IP address pools make these tasks possible by designating a range of IP addresses for client identification. These client internal IP address pools are allocated based on the user context and location. For example, specific IP address ranges can be assigned for user groups such as the HR team.

    To enable server-to-client communication, you must create a server-to-client app and then provide the client machine port and protocol details in addition to the back-end IP address range that is used to connect to the client. For details, see Server-to-client app configuration.

  • Enable client internal IP address stickiness: To maintain consistent connections, some applications require a continuous session with the same client. For details, see Client IP address stickiness.

    For enabling client IP address persistence, see Enable client IP address stickiness for TCP/UDP applications.

    Important:

    To use the source IP address as the internal IP address or the server-initiated connection functionality, ensure the following:

    • The switch or the router connected to the Connector Appliance’s subnet supports Gratuitous ARP.
    • Port security and Dynamic ARP Inspection (DAI) configuration does not affect the source IP address or server-initiated connection functionality.

IP address pool limitations

Following are some of the limitations of the IP address pool:

  • All Connector Appliances in a resource location must reside within the same IP subnet.
  • The internal IP address pools must consist of IP addresses from the Connector Appliance subnet in the same resource location.
  • The IP addresses within the internal IP address pools must not overlap with any used IP addresses of the Connector Appliances or other devices within the same subnet.
  • If the IP addresses in the pool are exhausted, IP addresses are not assigned to the users and hence server-to-client connections and client internal IP stickiness features cannot be used.
  • A maximum of 3 different IP addresses can be assigned to a user, allowing logins from up to 3 different devices. If the same user logs in from a fourth device, no IP address is assigned, preventing the use of server-to-client initiated connections and client internal IP stickiness.
  • The assigned internal IP address is sticky and remains the same for daily logins and logouts on the same device. However, if a user is inactive for 15 consecutive days, their sticky internal IP address is released and reassigned to a different user.
  • If a user’s assigned resource pool is deleted, the user is not allocated an internal IP address from other pools until the original pool is completely deleted from the system.

Create an intranet IP address pool

  1. Navigate to Settings > IP Pools and then click Create IP Pool.

    Create IP address pool

  2. IP Pool name: Enter a name for the IP pool.
  3. IP Range or CIDR: Enter the range of IP addresses reserved for clients. One of these IP addresses is assigned to the client machines.
  4. Connector Appliance Netmask (optional): If the Connector Appliance network subnet differs from the internal IP address subnet, enter the Connector Appliance netmask.
  5. Resource Location: Select the resource location where the back-end server is located. Ensure that at least one Connector Appliance is up.
  6. Allocation type: Select User and select the condition, domain, and the user or user groups to which this pool is applicable.
  7. Click Create.
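Before entering a range or CIDR in the Create IP Pool dialog, it is worth checking the candidate pool against the limitations listed above (inside the Connector Appliance subnet, no overlap with addresses already in use, and how many users it can serve at three addresses per user). The following script is an added example, not Citrix code; the subnet, in-use addresses, and pool values are constructed for illustration.

```python
import ipaddress
from typing import Iterable, List

# From the limitations section: at most 3 addresses (devices) per user.
MAX_ADDRESSES_PER_USER = 3


def parse_pool(spec: str) -> List[ipaddress.IPv4Address]:
    """Parse the 'IP Range or CIDR' field: '10.0.1.50-10.0.1.99' or '10.0.1.64/27'."""
    spec = spec.strip()
    if "/" in spec:
        # strict=True rejects a CIDR with host bits set (almost always a typo).
        return list(ipaddress.ip_network(spec, strict=True).hosts())
    first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
    if last < first:
        raise ValueError("range end precedes range start")
    return [ipaddress.ip_address(i) for i in range(int(first), int(last) + 1)]


def check_pool(spec: str, appliance_subnet: str, used_addresses: Iterable[str]) -> List[str]:
    """Return a list of problems; an empty list means the pool passes every check."""
    problems = []
    subnet = ipaddress.ip_network(appliance_subnet, strict=False)
    used = {ipaddress.ip_address(a) for a in used_addresses}
    pool = set(parse_pool(spec))
    # Limitation: pool addresses must come from the Connector Appliance subnet.
    outside = sorted(str(a) for a in pool if a not in subnet)
    if outside:
        problems.append(f"{len(outside)} address(es) outside {subnet}: {outside[:3]}")
    # Limitation: no overlap with Connector Appliances or other devices in the subnet.
    clash = sorted(str(a) for a in pool if a in used)
    if clash:
        problems.append(f"overlaps in-use addresses: {clash}")
    # Network and broadcast addresses can never be assigned to a client.
    if subnet.network_address in pool or subnet.broadcast_address in pool:
        problems.append("pool includes the subnet's network or broadcast address")
    return problems


def user_capacity(spec: str) -> int:
    """Worst-case number of users served if every user logs in from 3 devices."""
    return len(parse_pool(spec)) // MAX_ADDRESSES_PER_USER


if __name__ == "__main__":
    # Constructed sample: a /24 appliance subnet with two appliances already in use.
    appliance_subnet = "10.0.1.0/24"
    in_use = ["10.0.1.10", "10.0.1.11"]
    for candidate in ("10.0.1.50-10.0.1.99", "10.0.1.0/28", "10.0.2.0/28"):
        print(candidate, check_pool(candidate, appliance_subnet, in_use) or "OK",
              "capacity:", user_capacity(candidate), "users")
```
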

The IP address pool that you created is listed in the IP Pools page.

IP address pool page

Once the client login is successful, an intranet IP address is assigned to the user from the client internal IP address pool.

Delete an IP address pool

IP address pools can be deleted immediately or over time by using one of the following options.

  • Delete IP Pool by Force: Stops allocating IP addresses to new users and releases unused IP addresses immediately. Active user sessions using the deleted IP addresses might be terminated, resulting in abrupt closures and forced logouts. Users with terminated sessions are allocated new IP addresses only after a different IP address pool is created.
  • Delete IP Pool over time: Stops allocating IP addresses to new users and releases unused IP addresses immediately. The system waits for the active sessions to log out or expire before fully deleting the pool. Users with terminated sessions are allocated new IP addresses only after a different IP address pool is created.

Note:

We recommend that you schedule a maintenance window and notify users to log out and then initiate deletion of the IP pool over time. If most IP addresses are freed up after the scheduled time, you can force delete the remaining in-use IP addresses. However, we recommend that you do not force delete large IP address pools.

Perform the following steps to delete an IP pool:

  1. Navigate to Settings > IP Pools.

    The list of IP address pools and their details are displayed.

  2. Click the ellipsis (…) next to the address pool that you want to delete, then select either Delete IP pool by force or Delete IP pool over time.

Delete IP address pool

View the IP address utilization data

You can monitor the IP address utilization data from the IP Pool Utilization page. This page provides an overview of the status of the IP addresses.

  • A list of users and the IP addresses allocated to these users.
  • The percentage of available IP addresses that are already allocated and the total number of IP addresses available for allocation.

Admins can use this data to monitor IP address consumption and ensure that enough IP addresses are available for the users.

Perform the following steps to view the IP address utilization details:

  1. Navigate to Settings > IP Pools.

    The list of IP address pools along with their details is displayed in a tabular format.

  2. Click the ellipsis (…) next to the address pool and then click View IP Utilization.